We have tested some of our own services from an attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.

And if you ask whether you are affected by this bug:

You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company’s site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL.

It’s serious. It’s so serious that the bug has forced Canada’s tax agency to block public access to its online services just 3 weeks ahead of the April 30 deadline for filing personal income tax.

It’s vicious. You won’t know if you are the victim unless an attacker blackmails you, publishes your information online, or steals a trade secret and uses it.

The immediate advice to protect yourself would be to change your password on the sites that hold your critical information, such as online banking, email accounts, and so on.

But you may want to hold off on this advice for now and wait until the bug is fixed. Changing a password on a site that hasn’t been fixed could simply hand the new password over to hackers.

Before making any changes, it’s recommended that you check the site for an announcement that it has dealt with the issue. Or, before you change your password, check whether the site is still vulnerable with this tool: